Description
-----------
A vulnerability in Cryptsetup, specifically in the scripts that unlock
the system partition when the partition is encrypted using LUKS (Linux
Unified Key Setup).

This vulnerability allows an attacker to obtain a root initramfs shell
on affected systems. The vulnerability is very reliable because it
doesn't depend on specific systems or configurations. Attackers can
copy, modify or destroy the hard disk as well as set up the network to
exfiltrate data. In cloud environments it is also possible to remotely
exploit this vulnerability without having "physical access."

Full description:
-----------------
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

Affected package
----------------
Cryptsetup <= 2:1

CVE-ID
------
CVE-2016-4484
Regards,
Hector Marco & Ismael Ripoll.